ipsec: Disable compression in system policy

Compression in IPsec is slow (strongSwan only supports
DEFLATE) and there are security concerns about it
revealing information about the plaintext.

So for a little gain in bandwith, it does not seem to
be right to take that risk right now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Fix typos in CLI parsing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: List "performance" as read-only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bash-autocompletion: fix typos

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: add basic bash completion for ipsec

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

raw: add command new list-vpn-security-policies-all

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

raw: add new command list-ipsec-connections

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

raw: add new command ipsec-connection-exists

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpn-security-policies: add new function vpn_security_policies_list_all

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: add new function ipsec_list_connections

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix typo

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wpa_supplication: Correctly escape SSIDs with spaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vti: Disable policy lookups for VTI devices

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Check PSK for a good length

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Fix typo in warning message

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Fix another shell syntax error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Always make value of AUTH_MODE uppercase

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Add connection show command

This shows the current configuration of a connection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Fix another bash syntax error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Fix typo

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Move connections to /etc/network/vpn/ipsec/connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Makefile: Fix alphabetical order

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpn: Move VPN CLI functions into separate files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

route: Move CLI functions into functions file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network: add new ipsec functionality

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: add new functions

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config hook: prevent two hooks with the same settings

A ipv4-static config with the same IPv4 address twice is senseless.
A new function zone_config_check_same_setting is introduced.
The function provides an easy way to check if a config
of the given hook has the same value for a given key.
We can now check inside hook_new if an ipv4-static or ipv6-static config
with the same value exist and break with an error.

Fixes: #11418
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

autocompletion: use hids instead of ids

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

raw: add command zone-config-hid-is-valid

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

raw: add command list-zone-config-hids

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-config: add generic hook_hid function

This function will always be there so when we call hook_hid we will get a result.
This is also nice for testing.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hook: also hook_hid is a valid command

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: config list print also hids

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: accept also hids in zone_config()

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: add config hid functions

These are the basic functions to work with hids.

Fixes: #11406
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone: refactor hook_config_destroy

We now just bring the hook down, execute hook_destroy which can be not empty inside the hook,
because it is defined in src/header-config.
After this we delete the config file.

Fixes: #11416
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: new function zone_config_settings_destroy

Similar to zone_config_settings_write and zone_config_settings_read
this function provides an easy way to delete a config file.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

autocompletion: improve config part

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network: add new raw command zone-config-id-is-valid

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network: add new raw command list-zone-config-ids

This commands make it possible to list all used ids
for a zone from the command line.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: add new function zone_config_list_ids

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove support for Rapid Spanning Tree Protocol

The userspace daemon is not very stable and unfortunately
not very well tested so that reliable use of it is impossible
right now.

We keep supporting STP as implemented in the Linux kernel
which has some disadvantages, but has proven to be more solid.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Add new "performance" policy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove overcomplicated list assignment which doesn't work

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix syntax error after line-break

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Log return code of commands only if something failed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

list: Make use of the assign function to set variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-port: Remove unsafe use of eval

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

list: Remove unsafe use of eval

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-polices: Improve modification of cipher lists

This now supports setting a cipher list in one command and returns
some useful warnings when an intended change could not be performed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

batman-adv: Use correct functions to read from /sys/class/net

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Improve performance of reading files from the device tree

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add support for VTI interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Add function to generate ESP proposal for strongswan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Add function to generate AH proposal for strongswan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

securiy-policies: Enhance system policy to support elliptic curves

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Show descriptions for group types

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Add all supported group types

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix typo in integrity description

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Show integrity with description

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Add all supported integrity for now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Show description for each cipher instead of handle

This is easier and nicer to read

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Import all ciphers that we support for now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Turn VPN_SUPPORTED_CIPHERS into an associative array

This allows us to store meaningful descriptions with the handles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Avoid lines getting too long

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-polices: Create a system policy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Show policy after it has been created

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Check if default policy exists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Do not empty $dst when source file cannot be read

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-polcies: Only allow creating one policy at a time

This keeps the function easier and lets it return a better error code
when ever something goes wrong.

I don't expect to do anyone doing this in bulk.

I also changed some of the error messages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

security-policies: Improve coding style

No functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Remove trailing dot from log message

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Move comment to right spot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Make function handle paths with spaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add vpn security policies to cli

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hook: return error codes to previos functions

When we call an hook we should not exit with the error code.
Instead we should return the code to the function that called that hook function.
So we candle handle errors better.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: fix zone_new

Everytime somethings goes wrong when we call hook_new we wannt to call zone_destroy.
Not only when we get an EXIT_ERROR also when we get an EXIT_CONF_ERROR and so on.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone: refactor hook_edit nad hook_new

We now return error codes and break when something important goes wrong.
because of that, we have to split hook_new and hook_edit.
When zone_settins-read fails in hook_edit we cannot go but it would every time we would call it in hook_new.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv4-static: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-auto: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-static: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: create hook_parse_cmdline function

This patch just split the parsing of the cmd line
into a separate function to allowing an edit with the generic hook_edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

list: fix a bug

When the list is called "list" we have a problem because
${list}="list"
and ${!list}="list"
This creates effects nobody wants and which are also not so easy to understand.
To avoid such problems in the future we now throw an assertation when the list is called list.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config: improve config_get_id_from_config and config_get_hook_from_config

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

add new feature vpn security policies

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

constants: add new constant NETWORK_SHARE_DIR

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: add new function copy

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove empty files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remember to start DHCP servers once started

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-config: add generic hook_edit function

If a hook_parse-cmdline function exists
this functions allows it do edit the hook safely.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config: add new functions

This patch add two new functions:
config_get_id_from_config()
config_get_hook_from_config

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: check the config indide the hook_parse_cmdline() function

We now check the config inside the hook_parse_cmdline function.
This mae it possible ti use this function in a generic edit function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-zone fix hook_config_edit()

This function accepted only two arguments so new cmd coudl be passed.
We accept now more then 2 arguments.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zone: fix zone_config()

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listlength function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listmatch function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop deprecated listsort function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Import CODING_STYLE

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move license into docs directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: remove useless delay setting

Fixes: #11420
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>